Changes to Default Behavior
Changes to the default behavior in PAN-OS® 9.1.
The following table details the changes in default behavior upon upgrade to PAN-OS® 9.1. You may also want to review the CLI Changes in PAN-OS 9.1 and the Upgrade/Downgrade Considerations before upgrading to this release.
Feature | Change
URL Filtering BrightCloud Support
With PAN-OS 9.1, BrightCloud is no longer supported as a URL Filtering vendor. Before you can upgrade to PAN-OS 9.1, you’ll first need to convert your BrightCloud URL Filtering license to a PAN-DB URL Filtering license (contact your sales representative to convert your license). Only upgrade to PAN-OS 9.1 after confirming that the PAN-DB URL Filtering license is active on your firewall.
PAN-OS REST API request parameters and error responses
  • The REST API methods now accept the API key only through a custom HTTP header and no longer as a query parameter. To authenticate your REST API request to the firewall or Panorama, use the custom HTTP header X-PAN-Key: <key> to include the API key in the HTTP header. This change applies only to the REST API; the XML API is unchanged.
  • The REST API methods now implement both rename and move with custom HTTP mappings instead of action query parameters. Examples of the new and previous conventions are below.
    Rename an address:
    • New convention: POST /restapi/<version>/objects/addresses:rename
    • Replaces: POST /restapi/<version>/objects/addresses?action=rename
    Move a security policy rule:
    • New convention: POST /restapi/<version>/policies/securityrules:move
    • Replaces: POST /restapi/<version>/policies/securityrules?action=move
  • There is a new error response format for all REST API methods. This new format offers consistent and reliable error reporting that includes both human-readable messages and parsable error codes. The format includes overall request status, product-specific error codes, and details that will give the caller the maximum amount of data available if an error does occur.
  • The REST API URIs now denote version with a v prefix for versions 9.1 and beyond. Examples of the new and previous conventions are below:
    • New convention: GET /restapi/v9.1/objects/addresses
    • Replaces: GET /restapi/9.0/objects/addresses
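The three REST API changes above, as an added migration helper written for this page rather than code from Palo Alto Networks: it rewrites a pre-9.1 request URL into the 9.1 conventions (the v prefix on the version, the :rename / :move path suffixes) and moves a legacy key= query parameter into the X-PAN-Key header. The hostname, the API key value and the location/vsys/name/newname/where query parameters in the usage example are illustrative assumptions. Keeping the key out of the query string also keeps it out of proxy and web-server access logs, which is the practical reason to prefer the header.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Actions that 9.1 moves from ?action=<x> to a ":<x>" suffix on the resource path
# (rename and move are the two named in the release note).
CUSTOM_MAPPED_ACTIONS = {"rename", "move"}


def migrate_rest_request(url, headers=None, target_version="v9.1"):
    """Rewrite a pre-9.1 PAN-OS REST API request into the 9.1 conventions.

    Returns (new_url, new_headers):
      * /restapi/<ver>/...     -> /restapi/v9.1/...        (version gets the 'v' prefix)
      * ?action=rename or move -> ...:rename / ...:move     (custom HTTP mapping on the path)
      * ?key=<api key>         -> X-PAN-Key: <api key>      (header instead of query string)
    Any other query parameters are preserved in their original order.
    Raises ValueError for non-REST paths or when no API key is available at all.
    """
    headers = dict(headers or {})
    parts = urlsplit(url)
    segments = parts.path.split("/")
    if segments and segments[-1] == "":          # tolerate a trailing slash
        segments.pop()
    if len(segments) < 4 or segments[1] != "restapi":
        raise ValueError(f"not a PAN-OS REST API path: {parts.path}")
    segments[2] = target_version if target_version.startswith("v") else "v" + target_version

    kept, action, key = [], None, None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == "action":
            action = value
        elif name == "key":
            key = value                           # legacy: API key in the query string
        else:
            kept.append((name, value))

    if action in CUSTOM_MAPPED_ACTIONS:
        segments[-1] = f"{segments[-1]}:{action}"
    elif action is not None:
        kept.append(("action", action))           # not one of the remapped actions; leave it

    if key is not None:
        headers["X-PAN-Key"] = key
    if "X-PAN-Key" not in headers:
        raise ValueError("no API key: supply an X-PAN-Key header or a legacy key= parameter")

    new_url = urlunsplit((parts.scheme, parts.netloc, "/".join(segments), urlencode(kept), ""))
    return new_url, headers


if __name__ == "__main__":
    # Illustrative legacy request (hostname, key value and parameters are assumptions).
    legacy = ("https://fw.example.net/restapi/9.0/objects/addresses"
              "?location=vsys&vsys=vsys1&name=web-1&newname=web-01&action=rename&key=LUFRPT1example")
    print(migrate_rest_request(legacy))
```

Run it over the URLs in your automation scripts before the upgrade; anything that raises is a request that would fail against 9.1 either way.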
URL Category Lookup Timeout
Cloud queries for uncached URL categories now have a default timeout of two seconds instead of five.
You can also adjust this timeout in the web interface by navigating to Device > Setup > Content-ID and changing the value for Category lookup timeout.
Web Interface Configuration to Hold Web Requests During URL Category Lookups
The web interface now offers the option to hold web requests during URL category lookups. Enable this setting by navigating to Device > Setup > Content-ID and checking the box next to Hold client request for category lookup.
GlobalProtect Host Information
On the ACC, the GlobalProtect Host Information widget under the Network Activity tab is now renamed HIP Information.
SCTP Service Object
In PAN-OS 9.1 and later versions, the Stream Control Transmission Protocol (SCTP) service object is no longer supported in policy rules.
SD-WAN Auto VPN Configuration
(PAN-OS 9.1.2 and SD-WAN Plugin 1.0.2)
Auto VPN configuration no longer creates VPN tunnels between SD-WAN hubs in a VPN cluster (it still creates VPN tunnels between a branch and a hub). When you upgrade to PAN-OS 9.1.2 and SD-WAN Plugin 1.0.2 and push the configuration from Panorama, Panorama removes the hub-to-hub VPN tunnels it previously created.
SAML Authentication
(PAN-OS 9.1.3 and later 9.1 releases)
To ensure your users can continue to authenticate successfully with SAML Authentication, you must:
  • Ensure that you configure the signing certificate of your SAML Identity Provider as the Identity Provider Certificate on the SAML Identity Provider Server Profile.
  • Ensure that your SAML IdP sends signed SAML Responses, Assertions, or both.
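A pre-upgrade check for the second requirement, written for this page (not Palo Alto Networks code): decode the base64 SAMLResponse that an IdP posts to the firewall's ACS URL and report whether the Response, the Assertions, or both carry a ds:Signature element. It only detects the presence of signatures; the firewall performs the cryptographic verification against the configured Identity Provider Certificate. The IdP and portal URLs and the sample message are constructed test data.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def saml_signature_report(saml_response_b64):
    """Report which parts of a SAML Response carry an XML Signature element.

    Input: the base64 SAMLResponse form field of the HTTP-POST binding.
    Output: dict with 'response_signed', 'assertions', 'assertions_signed',
    'encrypted_assertions' and 'acceptable'. 'acceptable' mirrors the 9.1.3
    requirement: the Response is signed, or every plaintext Assertion is signed.
    Only presence is checked; verifying the signature against the IdP certificate
    is the firewall's job. (For untrusted input, parse with defusedxml instead.)
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    # A direct ds:Signature child of the root signs the Response itself.
    response_signed = root.find("ds:Signature", NS) is not None
    assertions = root.findall("saml:Assertion", NS)
    assertions_signed = sum(1 for a in assertions if a.find("ds:Signature", NS) is not None)
    # Encrypted assertions cannot be inspected without the SP's private key.
    encrypted = len(root.findall("saml:EncryptedAssertion", NS))
    acceptable = response_signed or (len(assertions) > 0 and assertions_signed == len(assertions))
    return {
        "response_signed": response_signed,
        "assertions": len(assertions),
        "assertions_signed": assertions_signed,
        "encrypted_assertions": encrypted,
        "acceptable": acceptable,
    }


def build_sample_response(sign_response, sign_assertion):
    """Constructed test message (not from a real IdP): a minimal SAML 2.0 Response
    with one Assertion, optionally carrying placeholder ds:Signature elements."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>')
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
        'IssueInstant="2020-09-01T12:00:00Z" Destination="https://portal.example.com/SAML20/SP/ACS">'
        '<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>'
        + (sig if sign_response else "") +
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-09-01T12:00:00Z">'
        '<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>'
        + (sig if sign_assertion else "") +
        '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    print(saml_signature_report(build_sample_response(sign_response=False, sign_assertion=True)))
```

To check a real IdP, capture the SAMLResponse value from the browser's POST to the firewall ACS URL and pass it in; an IdP that returns "acceptable": False needs its signing settings changed before you upgrade to 9.1.3.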
PA-7000 Series Firewall Memory Limit for the Management Server
(PAN-OS 9.1.5 and later 9.1 releases)
As of PAN-OS 9.1.5, PA-7000 Series firewalls have new CLI commands to enable or disable resource control groups, and new CLI commands to set an upper memory limit of 8 GB on the management server process (mgmtsrvr).
To enable resource-control groups, use:
debug software resource-control enable
To disable resource-control groups, use:
debug software resource-control disable
To set the memory limit, use:
debug management-server limit-memory enable
To remove the memory limit, use:
debug management-server limit-memory disable
Reboot the firewall to ensure the memory limit change takes effect.
OSPF
In prior releases, redistributed static routes in OSPF had the forwarding address set to 0.0.0.0 unconditionally. Beginning with PAN-OS 9.1, the forwarding address is set to the next hop if the next hop is part of the OSPF domain; otherwise, the forwarding address is set to 0.0.0.0.
IKEv2
(PAN-OS 9.1.13 and later 9.1 releases)
Prior to PAN-OS 9.1.13, when one end of an IKEv2 tunnel was a PAN-OS firewall, even if an IKEv2 tunnel was configured with SHA2 authentication (sha512, sha384, or sha256), PAN-OS always used SHA1 authentication. Beginning with PAN-OS 9.1.13:
  • If an IKEv2 tunnel is configured with SHA2 authentication only, PAN-OS uses SHA2 authentication only.
  • If an IKEv2 tunnel is configured with SHA2 and SHA1 authentication, PAN-OS accepts SHA1 authentication as a responder if SHA2 verification fails.
Scheduled Log Export
(PAN-OS 9.1.13 and later 9.1 releases)
Scheduled log exports (Device > Log Export) may not export logs as scheduled if multiple logs are scheduled to export at the same time.
Workaround: When scheduling your log exports, maintain at least 6 hours between each scheduled log export.
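A small checker for the 6-hour workaround, added here and not part of the release note: it takes the scheduled export times and reports any pair closer than six hours, including the gap that wraps past midnight from the last export of the day back to the first, which a plain sorted comparison misses.

```python
def check_export_spacing(times, min_gap_hours=6):
    """Return pairs of scheduled export times (24h 'HH:MM' strings) that are
    closer together than min_gap_hours. The schedule is treated as a daily
    cycle, so the gap from the last export back to the first one (across
    midnight) is checked as well. An empty list means the spacing is fine."""
    def to_minutes(t):
        hours, minutes = t.split(":")
        return int(hours) * 60 + int(minutes)

    ordered = sorted(times, key=to_minutes)
    if len(ordered) < 2:
        return []
    conflicts = []
    for i, current in enumerate(ordered):
        following = ordered[(i + 1) % len(ordered)]          # wraps to the first export
        gap = (to_minutes(following) - to_minutes(current)) % (24 * 60)
        if gap < min_gap_hours * 60:
            conflicts.append((current, following))
    return conflicts


if __name__ == "__main__":
    # Constructed schedule: the 22:00 -> 02:00 gap is only four hours.
    print(check_export_spacing(["22:00", "02:00", "10:00"]))
```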
Proxy Decryption
(PAN-OS 9.1.12 and later 9.1 releases)
Beginning in PAN-OS 9.1.12, the firewall denies web sessions if a client presents a truncated Client Hello message that lacks critical information, such as supported cipher suites and TLS versions. Without this information, the firewall can't accurately decrypt the session.
Sessions with traffic excluded from decryption might also be denied if the Client Hello is truncated and missing critical information.
If critical information is present in the truncated Client Hello, the firewall attempts decryption. Specifically, the firewall examines the first packet of the truncated Client Hello for the Server Name Indication (SNI) extension. The firewall can use the SNI value to identify and apply the matching Decryption policy rule to the traffic. In the absence of an SNI value in the first packet, the firewall makes a best-effort match to a Decryption policy rule.
SNI parsing is opportunistic. Even if an SNI value is present in the first packet, a Decryption policy rule mismatch can occur.
Before PAN-OS 9.1.12, the firewall attempted to decrypt web sessions with incomplete Client Hello messages even when critical information was missing, and SNI values were not used to match traffic to a Decryption policy rule, which made policy rule mismatches more likely.
To let the firewall process web sessions whose incomplete Client Hello lacks critical information, use the CLI command debug proxy discard-partial-client-hello enable no. The firewall still examines the first packet for an SNI value. The CTD engine discards a session whose traffic matches a known threat pattern; if the traffic does not match a known threat, the CTD engine may allow the session to continue undecrypted.
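To make the 9.1.12 behaviour concrete, an added example written for this page (not PAN-OS code): a minimal ClientHello parser that stops at the first field the captured bytes do not cover, keeps whatever was already parsed (legacy version, supported_versions, cipher suites, SNI), and a decryption_verdict() function that models the decision described above: deny when cipher suites or versions are missing and discard-partial-client-hello is enabled; otherwise match by SNI if one is present, else best effort. The sample ClientHello is constructed inside the block, and the verdict function is an assumed model of the described behaviour, not the firewall's implementation.

```python
import struct


class Truncated(Exception):
    """Raised when a field runs past the end of the captured bytes."""


class _Cursor:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n, what):
        if self.pos + n > len(self.data):
            raise Truncated(what)
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk

    def u8(self, what): return self.take(1, what)[0]
    def u16(self, what): return struct.unpack("!H", self.take(2, what))[0]
    def u24(self, what): return int.from_bytes(self.take(3, what), "big")


def build_client_hello(server_name, cipher_suites=(0x1301, 0x1302, 0xC02F)):
    """Constructed sample ClientHello (TLS record + handshake) for offline testing.
    The random field is fixed so the bytes are reproducible; this is test data only."""
    body = b"\x03\x03" + bytes(range(32)) + b"\x00"               # legacy_version, random, empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # cipher_suites, compression: null
    host = server_name.encode("ascii")
    sni = b"\x00" + struct.pack("!H", len(host)) + host           # name_type host_name(0), host
    sni = struct.pack("!H", len(sni)) + sni                       # ServerNameList length
    versions = struct.pack("!HH", 0x0304, 0x0303)                 # supported_versions: TLS 1.3, 1.2
    exts = (struct.pack("!HH", 0x0000, len(sni)) + sni
            + struct.pack("!HH", 0x002B, len(versions) + 1) + bytes([len(versions)]) + versions)
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # client_hello(1), uint24 length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record: handshake(22), TLS 1.0


def parse_client_hello(data):
    """Parse as much of a ClientHello as the bytes allow.

    Returns 'complete' (bool), 'missing' (first field that ran past the end of
    the data, or None), 'versions' (legacy version plus any supported_versions),
    'cipher_suites' (list or None) and 'sni' (str or None). Fields fully present
    before the truncation point are retained."""
    info = {"complete": False, "missing": None, "versions": [], "cipher_suites": None, "sni": None}
    c = _Cursor(data)
    try:
        if c.u8("record type") != 0x16:
            raise ValueError("not a TLS handshake record")
        c.take(2, "record version"); c.take(2, "record length")
        if c.u8("handshake type") != 0x01:
            raise ValueError("not a ClientHello")
        c.u24("handshake length")
        info["versions"].append(c.u16("client_version"))
        c.take(32, "random")
        c.take(c.u8("session_id length"), "session_id")
        suites_len = c.u16("cipher_suites length")
        if suites_len % 2:
            raise ValueError("odd cipher_suites length")
        info["cipher_suites"] = list(struct.unpack(f"!{suites_len // 2}H", c.take(suites_len, "cipher_suites")))
        c.take(c.u8("compression length"), "compression methods")
        end = c.pos + c.u16("extensions length")
        while c.pos < end:
            ext_type, ext_len = c.u16("extension type"), c.u16("extension length")
            ext = _Cursor(c.take(ext_len, f"extension {ext_type:#06x} data"))
            if ext_type == 0x0000:                                  # server_name
                ext.u16("server_name_list length")
                if ext.u8("name_type") == 0:
                    info["sni"] = ext.take(ext.u16("host_name length"), "host_name").decode("ascii", "replace")
            elif ext_type == 0x002B:                                # supported_versions
                n = ext.u8("supported_versions length")
                info["versions"].extend(struct.unpack(f"!{n // 2}H", ext.take(n, "supported_versions")))
        info["complete"] = True
    except Truncated as t:
        info["missing"] = str(t)
    return info


def decryption_verdict(info, discard_partial_client_hello=True):
    """Assumed model of the 9.1.12 decision, not PAN-OS code: deny when versions or
    cipher suites are missing and the discard setting is on; otherwise use the SNI
    to pick the Decryption policy rule if present, else fall back to best effort."""
    critical_ok = bool(info["versions"]) and bool(info["cipher_suites"])
    if not critical_ok and discard_partial_client_hello:
        return "deny"
    return "decrypt by SNI rule" if info["sni"] else "decrypt best-effort"


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    for cut in (len(hello), 80, 43):                                # full, SNI present, suites missing
        info = parse_client_hello(hello[:cut])
        print(cut, info["missing"], info["sni"], decryption_verdict(info))
```

The 80-byte cut is the interesting case: the supported_versions extension is gone, yet cipher suites, legacy version and SNI all survived in the first packet, so the model still attempts decryption against the SNI-matched rule, which is exactly why the note warns that SNI parsing is opportunistic and a rule mismatch remains possible.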
Test SCP Server Connection
(PAN-OS 9.1.16 and later 9.1 releases)
When you test the SCP server connection while scheduling a configuration export (Panorama > Scheduled Config Export) or log export (Device > Scheduled Log Export), a pop-up window now requires you to enter the SCP server's clear-text Password and Confirm Password before the connection test runs and the secure transfer of data is enabled.
You must also supply the clear-text SCP server password when you test the connection from the firewall or Panorama CLI:
admin> test scp-server-connection initiate <ip> username <username> password <clear-text-password>